
I just upgraded our mail server to version 12 and am running checks now to make sure it is working. I went to http://mxtoolbox.com and these errors or problems were detected. What do I need to do to support TLS? Why is the transaction time so long? I'm currently running the SmarterMail mail server...so I'm wondering if that is the reason? I tried getting my IIS to work after the upgrade and it doesn't seem to be working so I left it on the SmarterMail server for now.

Also, under the server blacklist check it says TRUE for RHSBL. I don't see this showing up on mxtoolbox.com. How do I get off of RHSBL?

SMTP TLS

Warning - Does not support TLS.

SMTP Transaction Time

16.910 seconds - Not good! on Transaction Time


7 Replies

When you say TLS is not working after the upgrade...are you implying that TLS was working prior to the upgrade?

Re the transaction times, again, was this faster before the upgrade? Transaction times can vary depending on server speed. I would look into why IIS is not working....any errors etc. The built-in webserver will be slower than IIS especially with the larger environment.


No, I don't believe version 4 of Mailsite even supported TLS. I'm asking generically how do I solve these problems? Transaction time was faster before but yes, I was using IIS.
Michael Barber, February 9, 2015 at 10:24 AM

As to RHSBL, you are also not following me. Mailsite says there is a problem with RHSBL; however, Mxtoolbox.com says there is NO problem with RHSBL. Which is it? Also, if you go to your link, it says to go to http://mailhosts.org/ ; however, there is NO SUCH website?
Michael Barber, February 9, 2015 at 10:28 AM


- Sorry, as you said upgrade I assumed you were using SM before going to 12.x. Understand now that you have actually migrated from one mail server (MailSite) to SM. In that case, you need to follow the guide here:

The guide will take you through the TLS process. However, if you are setting up SM 12.x for the first time I suggest you download the antispam guide that Bruce Barnes has written...all off his own back....it not only is one of THE best guides to use but it also takes you through or links to TLS info IIRC:

- If you supply the domain or mail server FQDN we can have a look for you re the RHSBL.

- One final thing....if I were you I would troubleshoot the issue why you cannot run SM using IIS and then start looking at other issues / setup. It's much faster and also allows for better troubleshooting IMHO. I have a funny feeling TLS will not work with the built-in web server too...I might be wrong there though.


Mail server is .: mail (dot) comcity [dot] com. Thanks for checking out the RHSBL. Agreed, I need to get IIS running...working on that next.
Michael Barber, February 9, 2015 at 1:56 PM

I have checked the normal lists and your mail server IP address is not showing. However, it is showing in a few lesser-known lists. You can check here: http://mail-blacklist-checker.online-domain-tools.com/ Useful tool that should also link you to the Delist or FAQs for the corresponding blacklists. Just hover over the (?) on any lists. In all honesty though, I would look at the IIS issue and then pretty quickly start securing your email server. As it's got no SSL cert I cannot verify much else for you. You will need an SSL cert to support TLS too.
CCWH, February 9, 2015 at 3:11 PM

Well, one problem with the TLS/SSL is that we need to be able to do some relaying via Cdonts/Cdosys, and asp.net system.net.mail calls. Is it possible for all the mail to require TLS EXCEPT for some email addresses or some IP addresses? In other words, does TLS work with only some email clients because we need to be able to send email programmatically from applications that are "client-less"?
Michael Barber, February 9, 2015 at 3:40 PM

You can add whitelists to allow relay from certain IP addresses/gateways I believe. Go to Security > SMTP Authentication Bypass > Add the incoming IP Address(es) - However we have never used it....not best practice I wouldn't have thought.

Just found this which might help for your Transaction Times: http://portal.smartertools.com/kb/a2912/slow-250-response-after-mail-from-command-is-issued-during-an-smtp-session_.aspx Before going through the troubleshooting points I would go through the antispam guide first as slow DNS/Spam checks could be a major issue along with not using IIS.

**EDIT** You can still implement TLS but not force it until you have sorted the other relay issues.
CCWH, February 9, 2015 at 3:46 PM

Ok, I got IIS working but it still has a response time of 16.4 seconds so something is still slow. I changed the DNS to the Google DNS settings and it went from 16 seconds to 14 seconds so it's NOT the DNS.
Michael Barber, February 10, 2015 at 10:05 AM

Great news re IIS...far more robust than the built-in server. If the response time has gone down but only by two seconds and you have also tried changing the DNS then I would suggest disabling all spam checks and see if it changes. Sometimes if there is a slow response from an RBL check then it can cause response delays. Might be worth going through the antispam guide mentioned above.
CCWH, February 10, 2015 at 10:14 AM
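An added example, not part of the original thread: a Python probe that repeats the two checks discussed above (is STARTTLS offered, how long does the SMTP transaction take) and times each step separately, so a delay such as the slow reply after MAIL FROM described in the linked KB article shows up by name. `FakeServer` and the example.com addresses are constructed placeholders; pass your own server's host name on the command line to run it against the real server.

```python
import smtplib
import sys
import time


def probe(smtp, sender, rcpt):
    """Time each SMTP step on an already-connected smtplib.SMTP-like object."""
    timings = []

    def step(label, call):
        start = time.monotonic()
        call()
        timings.append((label, time.monotonic() - start))

    step("EHLO", smtp.ehlo)
    offers_tls = smtp.has_extn("starttls")
    if offers_tls:
        step("STARTTLS", smtp.starttls)  # default context: cert is not verified
        step("EHLO after TLS", smtp.ehlo)
    step("MAIL FROM", lambda: smtp.mail(sender))
    step("RCPT TO", lambda: smtp.rcpt(rcpt))
    smtp.rset()  # abandon the transaction; no message is sent
    slowest = max(timings, key=lambda t: t[1])[0]
    return {"starttls": offers_tls, "slowest": slowest, "timings": timings}


class FakeServer:
    """Constructed stand-in: optional STARTTLS, slow reply to MAIL FROM."""
    def __init__(self, tls=False, mail_delay=0.2):
        self.tls, self.mail_delay = tls, mail_delay
    def ehlo(self): return (250, b"ok")
    def has_extn(self, name): return self.tls and name == "starttls"
    def starttls(self): return (220, b"ready")
    def mail(self, sender): time.sleep(self.mail_delay); return (250, b"ok")
    def rcpt(self, rcpt): return (250, b"ok")
    def rset(self): return (250, b"ok")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real server, e.g. python probe.py mail.example.com
        target = smtplib.SMTP(sys.argv[1], 25, timeout=60)
    else:
        target = FakeServer()
    report = probe(target, "probe@example.com", "postmaster@example.com")
    print("STARTTLS offered:", report["starttls"])
    for label, seconds in report["timings"]:
        print(f"{label:15s} {seconds:7.3f}s")
    print("slowest step:", report["slowest"])
```

If the time sits in the banner or EHLO rather than in MAIL FROM or RCPT TO, measure the `smtplib.SMTP(...)` constructor call as well, since it includes the connect and the server greeting.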

Thanks for your help. I'm going to tackle the TLS next but I fear this might be a problem because I don't understand how this relates to programmatic/automatic emailing by asp and asp.net application services which we heavily rely on for business processes.
Michael Barber, February 10, 2015 at 10:28 AM

No worries. Re the asp relay requirement...it's pretty straightforward to code in AspEmail (it supports TLS). If you are the mail server admin it should be a pre-requisite to use authentication for sites, no matter php or asp, to use a secure authentication method. From a business perspective, it's their clients' data being put at risk...important stuff and well worth pushing for.
CCWH, February 10, 2015 at 10:38 AM

Yes, to enable TLS you just need to add enableSsl="true" into the code if using the web.config. Re not expecting clients to support third party, yes, that's right. However, from a business security perspective it really should be expected that if a client is building or has created the code then they should be responsible to make it secure....some clients will not do it willingly and need a helpful nudge!
CCWH, February 10, 2015 at 11:06 AM


Do you have to buy an SSL to enable TLS or can you just use a free (self-signed) SSL certificate? I'm not following the help article at all http://portal.smartertools.com/kb/a2671/configure-ssl-tls-to-secure-smartermail.aspx I understand the certificate export process. However, it tells you to create a port but doesn't tell you what to put in for any of the fields. Also, is it possible to only use TLS on some of the domains or do all the domains using the mail server have to have their own TLS certificate? Very confusing help article.

Also, settings>>protocol settings has an ssl checkbox...what about that? The article doesn't address if that has to be clicked on or not.


If this is the first time setting up an SSL cert for an email server it is a learning curve and yes, I do agree there does not seem to be one full document that gives full step by step instructions. Not that I have found anyway.

Re the purchasing of a cert, you can use a self-issued one but then email clients may not trust it...that's in essence why there are known good Certificate Authorities. You might as well purchase a £($)10 certificate and it's then sorted. However, if your clients currently use their own domains to connect to the email server, i.e. mail.clientdomain.com, then you will either have to set up SSL certs for each and every domain OR do what is normal practice and make sure all clients use your domain with the certificate. They can then use mail.yourdomain.com for the mail and then also you can link it to the webmail.yourdomain.com and use https if you decided to use a Wildcard cert.

We made the transition last year and even though we were apprehensive it actually was welcomed by the clients as we sold it, rightly so, as a security upgrade. From an email admin point of view it is FAR easier to administer too!

You can't force SSL/TLS on some domains and not others as far as I am aware. You can implement SSL/TLS and still allow unsecured connections to take place...however even though that is better than nothing it's still leaving a security hole on each connection to the server so better to block 110/143.

The SSL check boxes within Security > Protocol Settings are when or if you configure autodiscover for when email clients are being configured. It's great to use, however it's lower down on your to do list ;-)


The thing I'm missing is if I go TLS (as SSL is obsolete) Port 25, 110 and 143 are already configured and the instructions describe setting up a new port from what I can understand. Also, you say block 110/143, what port would they POP to then? I'm not clear on what ports to create, what ports to simply change and what are the normal ports used in email TLS....
Michael Barber, February 11, 2015 at 1:33 PM


If you block 110/143, what port would they POP to under TLS?
- Sorry...just taken a second look at what I said, must have been half asleep...the ports we have blocked are for the SSL POP & IMAP, so 993/995. TLS, as you mentioned, does indeed run on the standard ports. Here's our overview of ports configured on the test server (note that we have left the old ones and the SSL but we do not have these configured within the IP Bindings):

If I set up TLS (as SSL is obsolete) Port 25, 110 and 143 are already configured and the instructions describe setting up a new port from what I read. What NEW ports need to be created?
- As seen in the above image, you have to recreate the ports but select TLS and also the Certificate:
Note that you have to have already followed the export guide to export your cert and save it within an accessible location such as 'C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\certificates\yourcert.cer'

What ports just need to be simply changed to make TLS work?
- New ports created and then bound to the mail server IP address

What are the normal ports used in email TLS....?
- See top image, look for TLS

How do you keep unsecure connections "as is" with TLS turned on?
- Simply leave the old POP/IMAP/SMTP ports bound to the IP Address. My best guess for what you want your IP Bindings to be would be something like this: